When it comes to domains, it’s important to realize they apply across all levels of CMMC maturity, forming the basic conceptual starting point in a comprehensive model framework. Take a trip back to high school chemistry and think of domains as the elements of the periodic table. You mix and match different elements to varying degrees to get different chemical compounds. In this metaphor, CMMC maturity levels are those compounds.
Where did the CMMC domains come from? According to the Office of the Under Secretary of Defense for Acquisition & Sustainment, or OUSD (A&S), most originate from “the security-related areas in Federal Information Processing Standards (FIPS) Publication 200,” as well as “the related security requirement families from NIST SP 800-171.” OUSD (A&S) also added three domains titled Asset Management, Recovery, and Situational Awareness.
But what exactly are these domains and the capabilities associated with them?